Preventing data breaches
Finally... an easy and effective way to fight the data breach epidemic.
By using encryption, your organisation can dramatically mitigate – and even prevent – data breaches. This simultaneously bolsters your own cyber-security defences, helps satisfy legislative requirements, and minimises the possibility of financial penalties, while protecting the rights and freedoms of your customers.
Data breaches: a problem of epidemic proportions
The data breach problem has escalated into an epidemic in recent years, largely unabated. It is a worldwide problem. In just three recent breaches, two-thirds of all Americans, half of all South Africans and half of all Filipinos - a total of 283 million people - have had their personal data leaked, including highly personal and sensitive information such as identity numbers, passport numbers, and fingerprint records.
ScramFS encryption can greatly mitigate and prevent many data breaches.
How encryption protects against data breach
Encryption works because it is remarkably effective at stopping a security breach from escalating into a data breach.
In the absence of encryption, a security breach has a high probability of leading to a data breach. For example, in situations like:
- data left on a public Amazon S3 bucket or a public web server (often due to misconfiguration),
- physical theft or loss of devices, and
- compromised cloud credentials due to phishing attacks
unauthorised people may access the data without the consent and knowledge of the owner of the data. Although access-level controls should have prevented this, recent history has shown that human mistakes occur time after time. It is clear that relying solely on humans is ineffective and error-prone.
With encryption, the situation changes dramatically. This is a technological safeguard that remains effective even if human errors such as misconfiguration occur. A treasure trove of data that would otherwise be unprotected will be complete gibberish to anyone who does not have the encryption key.
Despite these benefits, encryption remains heavily underutilised as a protection mechanism. In fact, research has shown that in the mid-2010s, only about 4% of breached data was encrypted.
Why is this the case? Unfortunately, encryption has had a reputation for being cumbersome and expensive. ScramFS dramatically changes this situation and provides a viable, cost-effective and easy-to-implement option for organisations looking to implement encryption.
How ScramFS helps protect against data breach
To protect against data breaches, best practice is to encrypt both secondary and primary copies of data. ScramFS offers the tools for protecting both.
| Type of data | Who's responsible | ScramFS tool to use |
|---|---|---|
| Primary copy: the “master” version of the data, obtained when data is first introduced into a system | Software developers | ScramFS API |
| Secondary copies: made when copying or exporting data from a system, usually for backup, archiving, transfer, and migration purposes | System administrators / DevOps engineers | ScramFS CLI (Command Line Interface), ScramExplorer GUI |
Our research has shown that most data breaches happen from secondary copies of data – such as backups, migrations and transfers.
On the other hand, encrypting the primary copy of data greatly helps satisfy legal regulations such as GDPR (Article 25) and HIPAA.
Although implementing protections at both levels is ideal, we recognise that organisations have limited I.T. resources. Therefore we recommend starting with safeguarding secondary copies of data.
Protecting secondary copies of data
With the right tools, protecting the secondary copies of data is easy and offers the greatest cyber-security “bang for buck”. Therefore, we recommend that any organisation begin by protecting secondary copies.
Protecting secondary copies of data involves identifying a company’s data management processes, and then using policy and technological safeguards to ensure that encryption is used appropriately. The ScramFS Command Line Interface and ScramExplorer GUI offer system administrators an extremely easy way to encrypt data. Here are some examples of how technology can bring policy into reality:
| Policy | Technology |
|---|---|
| All database backups must be encrypted | ScramFS CLI – encrypt every backup by following the recipe in our ScramFS Encryption Cookbook |
| All computer source code must be exported, encrypted and archived monthly | ScramFS CLI – perform Git clones and encrypt by following our recipe in the ScramFS Encryption Cookbook |
| All data pushed into cloud storage must be encrypted | By policy, only allow the ScramFS CLI to access cloud storage. Then script the CLI in cron jobs / scheduled tasks to encrypt data that is pushed to the cloud. |
| All transfers of data to 3rd party data processors must be encrypted when in transit, using 3rd party cloud storage for data hosting | ScramFS CLI – perform automated exports / imports of data to cloud storage with automatic encryption. ScramExplorer – copy files with automatic encryption using the GUI when ad-hoc access is required by other people. |
The good news for system administrators is that the ScramFS CLI offers a user experience that is both familiar and comfortable. Existing scripts that manipulate data in plaintext can easily be converted to use encryption with minimal fuss. The examples below show how easy it is.
Further reading: ScramFS Command Line Interface
Protecting primary copies of data
Protecting primary copies of data involves building encryption into the web, server, desktop, mobile and IoT applications that collect the data. This is a task for software developers. ScramFS provides an easy-to-use API for developers, so they can implement security and privacy by design and by default.
Unfortunately, applications that implement encryption tend to be rare. As a consequence, sensitive data is often stored in plaintext, making it susceptible to data breaches when access controls are bypassed or broken.
We see a number of reasons for the lack of cryptography in systems, including:
- the lack of “off-the-shelf” crypto solutions,
- the difficulty in manually implementing encryption into applications,
- the scarcity of experts qualified to design and implement cryptographic systems, and
- the difficulties in searching encrypted data.
ScramFS completely revolutionises these situations. Thanks to its architecture, using ScramFS means that developers never need to code any cryptography. Instead, developers code against a file system interface, while all the cryptography is performed behind the scenes.
By completely eliminating the need for developers to code cryptography, ScramFS not only makes application development faster and cheaper but also improves security, because developers cannot make any crypto mistakes.